UNC6692 Combines Social Engineering, Malware, Cloud Abuse
A newly discovered threat actor is using Microsoft Teams, AWS S3 buckets, and custom "Snow" malware in a multipronged campaign.
Alexander Culafi, Senior News Writer, Dark Reading
April 27, 2026
Source: Marc Muench via Alamy Stock Photo

A new threat actor is combining social engineering techniques, abuse of legitimate cloud infrastructure, and custom malware to create what appears to be a novel attack chain.

Google Threat Intelligence Group (GTIG) and Mandiant on April 23 published a blog post detailing the activities of a threat actor tracked as UNC6692. While the researchers did not attribute the threat actor to any previously established identity or location (calling it only a "newly tracked threat group"), they described a multistage intrusion campaign leveraging both persistent social engineering and custom modular malware. The attack also involves the abuse of legitimate cloud infrastructure in the form of an AWS S3 bucket.

A Google spokesperson tells Dark Reading that, based on observed attacker tactics, techniques, and procedures (TTPs), the researchers suspect UNC6692 is financially motivated. "Their operations appear focused on gaining access and stealing credentials for further actions," the blog post authors added.

Dark Reading asked about the attacker's point of origin, but because the actor operated from AWS infrastructure, Google was unable to obtain evidence pointing to a possible attribution.

The UNC6692 Attack Chain
In late December, UNC6692 conducted a campaign in which it flooded a target's inbox with email messages before contacting the target through Microsoft Teams, posing as help desk personnel assigned to fix the problem. The attacker sent a phishing link in the Teams message, prompting the target to click it in order to install a supposed local patch that would stop and prevent the email flood.
The target clicked the link and opened an HTML page which "ultimately downloaded a renamed AutoHotKey binary and an AutoHotkey script, sharing the same name, from a threat actor-controlled AWS S3 bucket."

"If the AutoHotkey binary is named the same as a script file in its current directory, AutoHotkey will automatically run the script with no additional command line arguments," the blog post read. "Evidence of AutoHotKey execution was recorded immediately following the downloads resulting in initial reconnaissance commands and the installation of SNOWBELT, a malicious Chromium browser extension (not distributed through the Chrome Web Store)."

Through the Snowbelt extension now installed on the user's computer, UNC6692 downloaded the Python tunneler Snowglaze, the Python bindshell Snowbasin (a persistent backdoor for remote code execution), additional AutoHotkey scripts, and "a ZIP archive containing a portable Python executable and required libraries."

After gaining initial access, the attacker used a Python script to scan the local network for ports 135, 445, and 3389 and to enumerate local administrator accounts. The attacker then used one of those local administrator accounts to open a Remote Desktop Protocol (RDP) session, tunneled through Snowglaze, from the victim system to a backup server. With access to the backup server, the threat actor used the same local admin account to dump the memory of the Local Security Authority Subsystem Service (LSASS) process. LSASS enforces the system's security policy and holds in memory the credential material (usernames, password hashes, and in some configurations plaintext passwords) of accounts that have logged on to the host since boot, which is why attackers target it.
UNC6692 then exfiltrated the memory dump via LimeWire and ran offensive security tools against it to extract credentials without fear of detection. Finally, UNC6692 used a pass-the-hash technique to move laterally to the network's domain controller, positioning itself to stage and extract data of interest. Google's blog post includes indicators of compromise (IOCs) and YARA rules.

UNC6692: Defender Takeaways
UNC6692's attack blends social engineering, technical evasion, and a multipronged, modular malware strategy. Google highlighted the "systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure," in the form of the S3 bucket. This abuse, Google said, lets attackers bypass traditional network reputation filters and blend into legitimate cloud traffic.

"Defenders must now look beyond process monitoring to gain clear visibility into browser activity and unauthorized cloud traffic," the authors wrote. "As threat actors continue to professionalize these modular, cross-platform methodologies, the ability to correlate disparate events across the browser, local Python environments, and cloud egress points will be critical for early detection."

In a statement, an AWS spokesperson tells Dark Reading that the company's terms of service prohibit abuse of its products, and that anyone who suspects such abuse can report it to AWS Trust & Safety through the appropriate form.

"AWS has clear terms that prohibit the use of our services to violate the security, integrity, or availability of others," the spokesperson says. "When we receive reports of potential violations of our terms, we act quickly to review and take appropriate action."
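The chain described above spans a browser download from S3, a local AutoHotkey launch, a sideloaded browser extension, a portable-Python port sweep, an LSASS read on a second host, and a pass-the-hash logon, which is exactly the cross-source correlation Google's post calls for. The script below is an added example, not code from Google, Mandiant, or the article: it runs five rules over constructed Sysmon-style events (IDs 1, 3, 10, 11) and Windows Security 4624 logons and reports which chain stages each host exhibits. The hostnames, paths, bucket name, sweep threshold, and LSASS-reader allowlist are assumptions; the "seclogo" rule catches the NewCredentials (type 9) logons that pass-the-hash tooling such as Mimikatz produces; and the sweep rule generalizes the article's python.exe case to any process that touches many hosts on 135/445/3389. The `--load-extension` rule covers only one sideloading route, and the article does not say how SNOWBELT was installed, so real coverage of the browser stage needs browser-side extension telemetry.

```python
"""Correlate constructed endpoint events into the UNC6692-style chain from the
article: S3-staged AutoHotkey sidecar, sideloaded browser extension, port sweep,
LSASS read on a server, and a pass-the-hash-style logon.
Event dicts use Sysmon field names (IDs 1, 3, 10, 11) and Security 4624."""
from collections import defaultdict
from pathlib import PureWindowsPath

LATERAL_PORTS = {135, 445, 3389}   # RPC, SMB, RDP: the ports the article names
SWEEP_THRESHOLD = 10               # distinct targets per process before calling it a scan (assumption)
PROCESS_VM_READ = 0x0010           # access right needed to read LSASS memory
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # tune per estate (assumption)
BROWSERS = {"chrome.exe", "msedge.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PYEXE = r"C:\Users\jdoe\AppData\Local\Temp\py\python.exe"   # portable Python, as in the article

# Constructed sample telemetry for two hosts; nothing here is real data.
EVENTS = [
    {"id": 3, "host": "WS01", "image": CHROME, "dst_host": "bucket-name.s3.amazonaws.com", "dst_port": 443},
    {"id": 11, "host": "WS01", "image": CHROME, "target_file": r"C:\Users\jdoe\Downloads\mailfix.ahk"},
    {"id": 11, "host": "WS01", "image": CHROME, "target_file": r"C:\Users\jdoe\Downloads\mailfix.exe"},
    # Renamed AutoHotkey binary launched with no arguments: it auto-runs mailfix.ahk beside it.
    {"id": 1, "host": "WS01", "image": r"C:\Users\jdoe\Downloads\mailfix.exe",
     "orig_file_name": "AutoHotkey.exe", "cmdline": r'"C:\Users\jdoe\Downloads\mailfix.exe"'},
    # Browser relaunched with an unpacked extension directory (one sideloading route, assumed).
    {"id": 1, "host": "WS01", "image": CHROME, "orig_file_name": "chrome.exe",
     "cmdline": rf'"{CHROME}" --load-extension=C:\Users\jdoe\AppData\Roaming\ext'},
    # Portable Python sweeps 12 neighbours on the three lateral-movement ports.
    *({"id": 3, "host": "WS01", "image": PYEXE, "dst_host": f"10.0.0.{n}", "dst_port": p}
      for n in range(10, 22) for p in sorted(LATERAL_PORTS)),
    # Backup server: LSASS read by an unknown binary, then a NewCredentials logon via seclogo.
    {"id": 10, "host": "BKP01", "source_image": r"C:\Windows\Temp\pd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"id": 4624, "host": "BKP01", "logon_type": 9, "logon_process": "seclogo",
     "auth_package": "Negotiate", "user": "bkpadmin"},
    # Benign noise that must not fire: a system process reading LSASS, an ordinary RDP logon.
    {"id": 10, "host": "BKP01", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"id": 4624, "host": "BKP01", "logon_type": 10, "logon_process": "User32",
     "auth_package": "Negotiate", "user": "bkpadmin"},
]


def _base(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return one finding per rule hit: {'host', 'stage', 'detail'}."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        created = {e["target_file"].lower(): e["image"] for e in evs if e["id"] == 11}
        s3_procs = {e["image"] for e in evs
                    if e["id"] == 3 and e["dst_host"].lower().endswith(".amazonaws.com")}
        sweep = defaultdict(set)   # image -> distinct targets on lateral ports
        for e in evs:
            if e["id"] == 1 and e.get("orig_file_name", "").lower() == "autohotkey.exe":
                img = PureWindowsPath(e["image"])
                sidecar = str(img.with_suffix(".ahk")).lower()
                no_args = e["cmdline"].strip('"').lower() == str(img).lower()
                if img.name.lower() != "autohotkey.exe" and no_args and sidecar in created:
                    via = " (dropped by a process that reached S3)" if created[sidecar] in s3_procs else ""
                    findings.append({"host": host, "stage": "ahk_sidecar",
                                     "detail": f"{img.name} auto-loads {img.stem}.ahk{via}"})
            elif e["id"] == 1 and _base(e["image"]) in BROWSERS and "--load-extension=" in e["cmdline"]:
                findings.append({"host": host, "stage": "unpacked_extension", "detail": e["cmdline"]})
            elif e["id"] == 3 and e["dst_port"] in LATERAL_PORTS:
                sweep[e["image"]].add(e["dst_host"])
            elif (e["id"] == 10 and _base(e["target_image"]) == "lsass.exe"
                  and _base(e["source_image"]) not in LSASS_READERS_OK
                  and int(e["granted_access"], 16) & PROCESS_VM_READ):
                findings.append({"host": host, "stage": "lsass_read",
                                 "detail": f"{e['source_image']} {e['granted_access']}"})
            elif e["id"] == 4624 and e["logon_type"] == 9 and e["logon_process"].lower() == "seclogo":
                findings.append({"host": host, "stage": "pth_logon", "detail": e["user"]})
        for image, targets in sweep.items():
            if len(targets) >= SWEEP_THRESHOLD:
                findings.append({"host": host, "stage": "port_sweep",
                                 "detail": f"{image} -> {len(targets)} hosts on {sorted(LATERAL_PORTS)}"})
    return findings


def chain_summary(findings):
    """Map host -> sorted chain stages seen; two or more on one host is worth opening a case."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return {h: sorted(s) for h, s in stages.items()}


if __name__ == "__main__":
    for host, stages in chain_summary(detect(EVENTS)).items():
        print(host, stages)
```

The rules deliberately key on properties the attacker cannot cheaply change: the PE OriginalFileName survives renaming the AutoHotkey binary, the sidecar trick requires the script to sit beside it with the same stem, reading LSASS needs PROCESS_VM_READ, and a pass-the-hash logon shows up as logon type 9 whatever the tool is called. In production, feed the same rules from your SIEM rather than an in-memory list, and raise the per-host stage count rather than any single rule to the analyst.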
Summary
UNC6692 is a newly tracked, likely financially motivated threat actor described by Google Threat Intelligence Group (GTIG) and Mandiant. Its campaign combines persistent social engineering, custom modular "Snow" malware, and abuse of legitimate cloud infrastructure, with credential theft as the core objective.

The intrusion began with a flood of email to the target's inbox, followed by a Microsoft Teams message from the attacker posing as help desk staff offering a "patch". The link led to an HTML page that downloaded a renamed AutoHotkey binary and a same-named AutoHotkey script from an attacker-controlled AWS S3 bucket; because the two share a name in the same directory, the binary runs the script with no arguments. The script performed initial reconnaissance and installed SNOWBELT, a malicious Chromium browser extension not distributed through the Chrome Web Store. SNOWBELT then fetched the Python tunneler SNOWGLAZE, the Python bindshell SNOWBASIN (a persistent backdoor for remote code execution), further AutoHotkey scripts, and a portable Python runtime.

A Python script scanned the local network for ports 135, 445, and 3389 and enumerated local administrator accounts. Using one of those accounts, the attacker opened an RDP session through SNOWGLAZE to a backup server, dumped LSASS process memory there, exfiltrated the dump via LimeWire, ran offensive security tools against it to extract credentials, and used pass-the-hash to reach the domain controller in preparation for staging and extracting data. Google published IOCs and YARA rules.

Because payload delivery, exfiltration, and C2 ride on legitimate cloud services, traditional network reputation filters offer little protection. Defenders need visibility into browser activity and unauthorized cloud traffic, plus the ability to correlate events across the browser, local Python environments, and cloud egress points. AWS stated that its terms prohibit such use and that suspected abuse can be reported to AWS Trust & Safety.